It’s no secret that the two technology powerhouses, Microsoft and Google, often don’t see eye to eye. The latest heated discussion erupted over Google’s decision to publicly reveal a security flaw in Windows 8.1 just 2 days before Microsoft was due to issue a patch.
Google’s disclosure concerned a bug which allows low-privilege users to gain administrative privileges, granting themselves elevated access to sensitive areas they would not normally be able to get into. Microsoft has since pointed out that valid login credentials were required to exploit this flaw, although that wouldn’t necessarily prevent access in a company environment by, say, an employee with an axe to grind.
In a somewhat lengthy blog post, Senior Director of the Microsoft Security Response Center Chris Betz asserted that the threat landscape is becoming increasingly complex, and called for… “security researchers and software companies to come together and not stand divided over important protection strategies, such as the disclosure of vulnerabilities and the remediation of them.”
In Google’s defense, its Project Zero policy clearly states that the project will disclose vulnerabilities publicly, as well as code required to exploit bugs, but only after affected companies fail to take positive action within a 90-day deadline following notification. Microsoft was actually notified on October 13th, 2014. The 90-day deadline passed, no fix was forthcoming, and so the vulnerability was subsequently disclosed. However, Mr. Betz says Microsoft requested that the details of the vulnerability be kept quiet until this month’s Patch Tuesday, which was due just two days after Google’s disclosure.
As with many of these instances, there is a case to be made for both sides. On this occasion however, I happen to agree with Microsoft, for the following reasons:
- Microsoft knew of the vulnerability and was planning to patch it, all of which Google was obviously aware of
- The vulnerability could only be exploited on computers with zero login credentials required or by persons who knew the login credentials
- Microsoft had acknowledged the presence of the flaw privately to Google, informed the latter of a due date for a patch, and requested it be kept schtum in the interim – for obvious reasons
While I am all for any type of watchdog policy that helps keep the b*st*rds honest, I can’t see that this disclosure by Google helped users in any way, shape, or form – quite the opposite. It smacks more of a “gotcha” than any benevolence on Google’s part.
Personally, I reckon it’s well and truly time these behemoths began cooperating in the best interests of consumers as a whole rather than playing their political games of one-upmanship. And that goes for the likes of Apple and Samsung too. I wonder how much less expensive their products might be minus the costs incurred per medium of the seemingly incessant flow of lawsuits.
We’ll settle out of court – it’s only $5 million – just up the retail price and we’ll soon recoup all that, and some.
What do you think?